Subversion Repositories ALCASAR

#!/bin/sh

#

# $Id: alcasar-iptables-local.sh 2854 2020-07-20 22:08:05Z rexy $

#

# Custom rules for ALCASAR firewall

#

# Examples:

# 	- Local MAC addresses filtering (MAC are in '/usr/local/etc/alcasar-iptables-local-mac-filtered'. Format : aa:09:23:2f:4d:ee)

#	- allow ICMP from an Internet IP address (Admin_from) to EXTIF

#	- allow SMTP from aLCASAR to an Internet server (SMTP_IP)

#	- PAT rules from Internet

#	- Deny access to protected networks from internal LAN

#	- Allow managers to access ACC from the external network

# This script inherit of alcasar-iptables.sh variables : $INTIF, $EXTIF, $IPTABLES, etc

# !!Beware, run the script "alcasar-iptables.sh" after changing this file. 

# Local MAC addresses filtering (MAC are in '/usr/local/etc/alcasar-iptables-local-mac-filtered'. Format : aa:09:23:2f:4d:ee)

if [ -s /usr/local/etc/alcasar-iptables-local-mac-filtered ]; then

	while read mac_line

	do

		ip_on=`echo $mac_line|cut -b1`

		if [ $ip_on != "#" ]

		then

			mac_filtered=`echo $mac_line|cut -d" " -f1`

			echo "MAC filtered = $mac_filtered"

			$IPTABLES -A FORWARD -i $INTIF        -m mac --mac-source $mac_filtered -j NFLOG --nflog-group 1 --nflog-prefix "$mac_filtered -- Filt_DROP"

			$IPTABLES -A FORWARD -i $INTIF -p tcp -m mac --mac-source $mac_filtered -j DROP

			$IPTABLES -A FORWARD -i $INTIF -p udp -m mac --mac-source $mac_filtered -j DROP

			$IPTABLES -A FORWARD -i $INTIF        -m mac --mac-source $mac_filtered -j DROP

		fi

	done < /usr/local/etc/alcasar-iptables-local-mac-filtered

fi

# On autorise le ping (echo & request) (ICMP N°0 & 8) en provenance d'Internet vers ALCASAR

# Allow ping (echo & request) (ICMP N°0 & 8) from Internet

#$IPTABLES -A INPUT  -i $EXTIF -s $Admin_from_IP -p icmp --icmp-type 8 -j ACCEPT

#$IPTABLES -A OUTPUT -o $EXTIF -d $Admin_from_IP -p icmp --icmp-type 0 -j ACCEPT

# On autorise ALCASAR a accéder à un serveur MAIL local (envoie de rapports, alertes, etc.)

# Allow ALCASAR to conect to a local mail server (send reports, alerts, etc.)

#SMTP_IP='192.168.111.5'		# IP of mail server

#SMTP_PORT=587			# port of mail server (25 for SMTP ; 587 for STARTTLS ; 465 for SMTPS)

#$IPTABLES -A OUTPUT -p tcp -d $SMTP_IP --dport $SMTP_PORT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

#$IPTABLES -A INPUT  -p tcp -s $SMTP_IP --sport $SMTP_PORT -m conntrack --ctstate ESTABLISHED     -j ACCEPT

# On autorise l'accès SSH depuis Internet (port 11222) vers un equipement du LAN (port 22). On réalise donc un "PAT" (Port Adresse Translation)

# Allow PAT (Port Adresse Translation) from INTERNET (port 11222) in order to connect to a LAN equipment on port 22 (SSH)

# example for the external UDP-TCP port 11222 which is redirected to the internal IP 192.168.182.10 on port 22

#$IPTABLES -A PREROUTING -i $EXTIF -t nat -p tcp -d $PUBLIC_IP --dport 11222 -j DNAT --to 192.168.182.10:22

#$IPTABLES -A PREROUTING -i $EXTIF -t nat -p udp -d $PUBLIC_IP --dport 11222 -j DNAT --to 192.168.182.10:22

#$IPTABLES -A FORWARD -p tcp -d 192.168.182.10 --dport 22 -j ACCEPT

#$IPTABLES -A FORWARD -p udp -d 192.168.182.10 --dport 22 -j ACCEPT

# Deny access to protected networks from internal LAN

#protectedNetworks='10.0.0.0/8,172.16.0.0/12,192.168.0.0/16' # (RFC 1918)

#[ -n "$TUNIF" ] && consultationIF=$TUNIF || consultationIF=$INTIF

#$IPTABLES -A FORWARD -i $consultationIF -d $protectedNetworks -j DROP

#$IPTABLES -A FORWARD -o $consultationIF -s $protectedNetworks -j DROP

# Allow managers to access ACC from the external network

#managerIPs='192.168.111.10'

#externalPort='34443'

#$IPTABLES -t mangle -A PREROUTING -i $EXTIF -s $managerIPs -p tcp -d $PUBLIC_IP --dport $externalPort -j MARK --set-mark 100

#$IPTABLES -t nat    -A PREROUTING -i $EXTIF -s $managerIPs -p tcp -d $PUBLIC_IP --dport $externalPort -j DNAT --to $PRIVATE_IP:443

#$IPTABLES           -A INPUT      -i $EXTIF -s $managerIPs -p tcp --dport 443 -m mark --mark 100 -j ACCEPT